UDP Flood issue (Zywall USG 100)

Options
follet
follet Posts: 32  Freshman Member
First Anniversary 10 Comments Friend Collector
Hello. Today internet works slow. I noticed, that CPU overload (98%) and the Active session list is full too.



I visited log and saw a lot of ADP records:
from Any to ZyWALL, [type=Flood-Detection(8910002)] UDP Flood UDP Flood Action: Block Severity: medium <FLOOD IP:PORT> <MY EXTERNAL IP> ACCESS BLOCK

In the ADP profile I turned logging off and decreased the threshold from 1000 to 500:

In the Firewall menu, I turned on Session limit for 300 second and 50 Sessions per Host In the Session control tab:


But unfortunately, the session pool didn't decrease and the CPU still overload too. Now in the log menu I have list of blocked IP addresses:


What is your suggestion? How to refuse or refuse or stop this attack?

Accepted Solution

  • follet
    follet Posts: 32  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Answer ✓
    Options
    I solved this issue!!!
    I appreciate your help and suggestions!

    I just turned ON the checkbox "Firewall" thus, port 53 closed automatically, and the active session pool became in a normal state!


«1

All Replies

  • mMontana
    mMontana Posts: 1,340  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited November 2022
    Options
    Short UDP Sessions to 30 seconds as a test.
    Which destination ports are involved? You obscured the destination IP, maybe the "bogey" it's inside that IP address?
  • PeterUK
    PeterUK Posts: 2,865  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited November 2022
    Options
    set Sessions per Host to 0
    also disable UDP flood 

    If your truly being DDoS not much you can do about it...I would hope the USG makes way for LAN to WAN sessions.
  • follet
    follet Posts: 32  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    mMontana said:
    Short UDP Sessions to 30 seconds as a test.
    Which destination ports are involved? You obscured the destination IP, maybe the "bogey" it's inside that IP address?
    Thank you for your answer:
    The source port is 53, involving just 2 destination IPs: it is my external IP that provided me 2 ISP providers. I decided to hide it for security reasons.
  • follet
    follet Posts: 32  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    PeterUK said:
    set Sessions per Host to 0
    also disable UDP flood 

    If your truly being DDoS not much you can do about it...I would hope the USG makes way for LAN to WAN sessions.
    I logged in my ZyWall and saw 50% of active sessions and 95% CPU.
    When I Disabled UDP flood and set Sessions per Host to 0 - The session become increasing to 70%.
    I enforced to set up previous settings like on screenshot.
  • Zyxel_James
    Zyxel_James Posts: 626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    follet,
    What is your suggestion? How to refuse or refuse or stop this attack?
    Actually, the ADP feature already blocks the attack for you, but as @PeterUK said, it's not much we can do to stop it if you're attacked by UDP flood.


    James
  • follet
    follet Posts: 32  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options

    Actually, the ADP feature already blocks the attack for you, but as @PeterUK said, it's not much we can do to stop it if you're attacked by UDP flood.
    Thank you for your answer. Also, I wonder about ADP policies. I have 5 rules, maybe I can optimize it?



  • follet
    follet Posts: 32  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    Also, I see 53 port of both ISP IPs under attack.

    I tested my external IP via site: https://www.openresolver.nl/ and it wrote "good" - No open resolver on IPv4 result.

    Maybe I should check 53 port settings?


  • follet
    follet Posts: 32  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    Also as an additional feature I set up firewall to drop UDP DNS (53 port) due to this article: https://community.zyxel.com/en/discussion/9768/abnormal-udp-traffic-detected-source-port-is-zero-drop-port53 but it doesn't release active session pool...
  • PeterUK
    PeterUK Posts: 2,865  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited November 2022
    Options
    If your sure its from or to a given port (or by IP) and its low bandwidth you could put a managed switch in front of the USG and drop packets by ACL
  • follet
    follet Posts: 32  Freshman Member
    First Anniversary 10 Comments Friend Collector
    edited November 2022
    Options
    Oh no... I check 53 port is open, OMG! Using this service: https://www.yougetsignal.com/tools/open-ports/
    But I can't see this record in my firewall rules...
    I see two rules that block DNS_UDP and DNS_TCP ports.


    How to close 53 port?

Security Highlight